.\" $OpenBSD: SSL_set1_host.3,v 1.4 2021/03/31 16:56:46 tb Exp $
.\" selective merge up to: OpenSSL 6328d367 Jul 4 21:58:30 2020 +0200
.\"
.\" This file was written by Viktor Dukhovni <viktor@openssl.org>
.\" Copyright (c) 2015 The OpenSSL Project.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in
.\"    the documentation and/or other materials provided with the
.\"    distribution.
.\"
.\" 3. All advertising materials mentioning features or use of this
.\"    software must display the following acknowledgment:
.\"    "This product includes software developed by the OpenSSL Project
.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
.\"
.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
.\"    endorse or promote products derived from this software without
.\"    prior written permission. For written permission, please contact
.\"    openssl-core@openssl.org.
.\"
.\" 5. Products derived from this software may not be called "OpenSSL"
.\"    nor may "OpenSSL" appear in their names without prior written
.\"    permission of the OpenSSL Project.
.\"
.\" 6. Redistributions of any form whatsoever must retain the following
.\"    acknowledgment:
.\"    "This product includes software developed by the OpenSSL Project
.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: March 31 2021 $
.Dt SSL_SET1_HOST 3
.Os
.Sh NAME
.Nm SSL_set1_host ,
.Nm SSL_set_hostflags ,
.Nm SSL_get0_peername
.Nd SSL server verification parameters
.Sh SYNOPSIS
.In openssl/ssl.h
.Ft int
.Fo SSL_set1_host
.Fa "SSL *ssl"
.Fa "const char *hostname"
.Fc
.Ft void
.Fo SSL_set_hostflags
.Fa "SSL *ssl"
.Fa "unsigned int flags"
.Fc
.Ft const char *
.Fo SSL_get0_peername
.Fa "SSL *ssl"
.Fc
.Sh DESCRIPTION
.Fn SSL_set1_host
configures a server hostname check in the
.Fa ssl
client, setting the expected DNS hostname to
.Fa hostname
and clearing any previously specified hostname.
If
.Fa hostname
is
.Dv NULL
or the empty string, name checks are not performed on the peer certificate.
If a nonempty
.Fa hostname
is specified, certificate verification automatically checks the peer
hostname via
.Xr X509_check_host 3
with
.Fa flags
set to 0.
.Pp
.Fn SSL_set_hostflags
sets the flags that will be passed to
.Xr X509_check_host 3
when name checks are applicable,
by default the flags value is 0.
See
.Xr X509_check_host 3
for the list of available flags and their meaning.
.Pp
.Fn SSL_get0_peername
returns the DNS hostname or subject CommonName from the peer certificate
that matched one of the reference identifiers.
Unless wildcard matching is disabled, the name matched in the peer
certificate may be a wildcard name.
A reference identifier starting with
.Sq \&.
indicates a parent domain prefix rather than a fixed name.
In this case, the matched peername may be a sub-domain
of the reference identifier.
The returned string is owned by the library and is no longer valid
once the associated
.Fa ssl
object is cleared or freed, or if a renegotiation takes place.
Applications must not free the return value.
.Pp
SSL clients are advised to use these functions in preference to
explicitly calling
.Xr X509_check_host 3 .
.Sh RETURN VALUES
.Fn SSL_set1_host
returns 1 for success or 0 for failure.
.Pp
.Fn SSL_get0_peername
returns the matched peername or
.Dv NULL
if peername verification is not applicable
or no trusted peername was matched.
Use
.Xr SSL_get_verify_result 3
to determine whether verification succeeded.
.Sh EXAMPLES
The calls below check the hostname.
Wildcards are supported, but they must match the entire label.
The actual name matched in the certificate (which might be a wildcard)
is retrieved, and must be copied by the application if it is to be
retained beyond the lifetime of the SSL connection.
.Bd -literal
if (!SSL_set1_host(ssl, "smtp.example.com"))
	/* error */

/* XXX: Perform SSL_connect() handshake and handle errors here */

if (SSL_get_verify_result(ssl) == X509_V_OK) {
	const char *peername = SSL_get0_peername(ssl);

	if (peername != NULL)
		/* Name checks were in scope and matched the peername */
}
.Ed
.Sh SEE ALSO
.Xr ssl 3 ,
.Xr SSL_CTX_set_verify 3 ,
.Xr SSL_get_peer_certificate 3 ,
.Xr SSL_get_verify_result 3 ,
.Xr X509_check_host 3 ,
.Xr X509_VERIFY_PARAM_set1_host 3
.Sh HISTORY
All three functions first appeared in OpenSSL 1.1.0.
.Fn SSL_set1_host
has been available since
.Ox 6.5 ,
and
.Fn SSL_set_hostflags
and
.Fn SSL_get0_peername
since
.Ox 6.9 .
